Cisco Cisco Email Security Appliance C650 Guía Del Usuario
21-25
User Guide for AsyncOS 9.8 for Cisco Email Security Appliances
Chapter 21 Email Authentication
Enabling SPF and SIDF
Note
More settings are available via the CLI. See
for
more information.
Step 6
If you choose a conformance level of SIDF-compatible, configure whether the verification downgrades
a Pass result of the PRA identity to None if there are Resent-Sender: or Resent-From: headers present in
the message. You might choose this option for security purposes.
a Pass result of the PRA identity to None if there are Resent-Sender: or Resent-From: headers present in
the message. You might choose this option for security purposes.
Step 7
If you choose a conformance level of SPF, configure whether to perform a test against the HELO identity.
You might use this option to improve performance by disabling the HELO check. This can be useful
because the
You might use this option to improve performance by disabling the HELO check. This can be useful
because the
spf-passed
filter rule checks the PRA or the MAIL FROM Identities first. The appliance
only performs the HELO check for the SPF conformance level.
Related Topics
•
•
Enabling SPF and SIDF via the CLI
The AsyncOS CLI supports more control settings for each SPF/SIDF conformance level. When
configuring the default settings for a listener’s Host Access Table, you can choose the listener’s
SPF/SIDF conformance level and the SMTP actions (ACCEPT or REJECT) that the appliance performs,
based on the SPF/SIDF verification results. You can also define the SMTP response that the appliance
sends when it rejects a message.
configuring the default settings for a listener’s Host Access Table, you can choose the listener’s
SPF/SIDF conformance level and the SMTP actions (ACCEPT or REJECT) that the appliance performs,
based on the SPF/SIDF verification results. You can also define the SMTP response that the appliance
sends when it rejects a message.
Depending on the conformance level, the appliance performs a check against the HELO identity, MAIL
FROM identity, or PRA identity. You can specify whether the appliance proceeds with the session
(ACCEPT) or terminates the session (REJECT) for each of the following SPF/SIDF verification results
for each identity check:
FROM identity, or PRA identity. You can specify whether the appliance proceeds with the session
(ACCEPT) or terminates the session (REJECT) for each of the following SPF/SIDF verification results
for each identity check:
•
None. No verification can be performed due to the lack of information.
SIDF
The SPF/SIDF verification behaves according to RFC4406.
-The PRA Identity is determined with full conformance to the standard.
- SPF v1.0 records are treated as spf2.0/mfrom,pra.
- For a nonexistent domain or a malformed identity, a verdict of Fail is
returned.
returned.
SIDF Compatible
The SPF/SIDF verification behaves according to RFC4406 except for
the following differences:
the following differences:
- SPF v1.0 records are treated as spf2.0/mfrom.
- For a nonexistent domain or a malformed identity, a verdict of None is
returned.
returned.
NOTE: This conformance option was introduced at the request of the
OpenSPF community (www.openspf.org).
OpenSPF community (www.openspf.org).
Table 21-2
SPF/SIDF Conformance Levels
Conformance Level
Description